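# Purpose: after running WDAC in audit mode, collect every driver that WHQL enforcement
# would have blocked (CodeIntegrity event ID 3082), and turn their signers into
# WHQLPublisher allow rules merged into an existing base policy.
#
# Inputs:  .\DefaultWindows_Audit.xml (existing base policy, read)
# Outputs: .\Drivers\ (scratch copy of affected drivers), .\Merged.xml (merged policy)
# Requires: the ConfigCI module (Get-SystemDriver, New-CIPolicyRule, Merge-CIPolicy)
#           and read access to the Microsoft-Windows-CodeIntegrity/Operational log.

# Create a scratch directory as the destination for drivers that would have failed to load
# due to WHQL enforcement. -Force makes this step idempotent on re-runs (mkdir would error
# if .\Drivers already existed).
$DriverDir = New-Item -ItemType Directory -Path .\Drivers -Force

# After a reboot, list all drivers that would have failed WHQL enforcement - i.e. event ID 3082
# events. Properties[1] is treated as the driver path relative to the system drive (as in the
# original snippet - confirm against a real 3082 event if drivers come back empty).
# $env:SystemDrive replaces the hard-coded 'C:' so this also works where Windows is not on C:.
# Paths that no longer exist (driver since removed/updated) are skipped instead of erroring.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3082 } |
    ForEach-Object { "$env:SystemDrive$($_.Properties[1].Value)" } |
    Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ } |
    Get-ChildItem |
    Copy-Item -Destination $DriverDir.FullName

# Get signer information for all the affected drivers
$DriverSigners = Get-SystemDriver -ScanPath $DriverDir.FullName -NoScript -NoShadowCopy

# Build a WHQLPublisher allow rule for the WHQL signed drivers. WHQLPublisher is chosen over the
# broader WHQL level so the rule only allows WHQL-signed drivers issued to the specific vendor(s)
# seen here, not any WHQL-signed driver.
$DriverPolicyRules = New-CIPolicyRule -DriverFiles $DriverSigners -Level WHQLPublisher

# Merge the generated rules with your existing base policy. Review Merged.xml before
# deploying it in enforced mode.
Merge-CIPolicy -OutputFilePath Merged.xml -PolicyPaths .\DefaultWindows_Audit.xml -Rules $DriverPolicyRules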